Problem with curly brackets in state parameter

    I am working on the open source ORCID project, which uses Spring Security OAuth to provide OAuth2 to client applications.

    A client application is using the 'state' parameter in the authorization code flow, as recommended in the OAuth2 specification.

    They are putting a JSON-style string into the state parameter. Here is the string before URL encoding.

    state={"source":"account","j_id":"10","p_id":"85370","form_type":"get_orcid"}

    However, this seems to cause an exception when the user confirms authorization.

    Here's how it looks using curl.

    curl -i -b 'JSESSIONID=8D51E8E6BBCBE3872FBBBE1794BD866D' ' 2F%2Flocalhost:8989%2Fjopmts%2Forcid%2Finfo&client_id=0000-0003-4222-0282&scope=%2Forcid-profile%2Fread-protected&state=%7B%22source%22%3A%22account%22%2C%22j_id%22%3A%2210%22%2C%22p_id%22%3A%2285370%22%2C%22form_type%22%3A%22get_orcid%22%7D'

    curl -i -L -b 'JSESSIONID=AD574FEBDE53BDA2339BDD54B53A8F44' --data "user_oauth_approval=true" ''

    HTTP/1.1 500 Internal Server Error
    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=utf-8
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Date: Fri, 01 Jun 2012 14:38:41 GMT
    Connection: close


    org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.IllegalArgumentException: Model has no value for '"source":"account","j_id":"10","p_id":"85370","form_type":"get_orcid"'
    org.springframework.web.servlet.FrameworkServlet.processRequest(
    org.springframework.web.servlet.FrameworkServlet.doPost(
    javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:722)$VirtualFilterChain.doFilter(311)
    org.orcid.frontend.web.filters.TermsAndConditionsAcceptanceCheckFilter.doFilterInternal(TermsAndCond
    org.springframework.web.filter.OncePerRequestFilter.doFilter($VirtualFilterChain.doFilter(323) FilterSecurityInterceptor.invoke(FilterSecurityInt FilterSecurityInterceptor.doFilter(FilterSecurityI$VirtualFilterChain.doFilter(323) ranslationFilter.doFilter(ExceptionTranslationFilt$VirtualFilterChain.doFilter(323) nagementFilter.doFilter(SessionManagementFilter.java:101)$VirtualFilterChain.doFilter(323) onymousAuthenticationFilter.doFilter(AnonymousAuth$VirtualFilterChain.doFilter(323) tyContextHolderAwareRequestFilter.doFilter(Securit$VirtualFilterChain.doFilter(323) estCacheAwareFilter.doFilter(RequestCacheAwareFilt$VirtualFilterChain.doFilter(323) stractAuthenticationProcessingFilter.doFilter(Abst$VirtualFilterChain.doFilter(323) gout.LogoutFilter.doFilter($VirtualFilterChain.doFilter(323) ontextPersistenceFilter.doFilter(SecurityContextPe$VirtualFilterChain.doFilter(323) tSessionFilter.doFilter(ConcurrentSessionFilter.java:125)$VirtualFilterChain.doFilter(323) doFilter(
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(
    org.springframework.web.filter.DelegatingFilterProxy.doFilter( gerInViewFilter.doFilterInternal(OpenEntityManager
    org.springframework.web.filter.OncePerRequestFilter.doFilter(
    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal( :88)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(


    It looks like RedirectView is trying to interpret the curly brackets as a placeholder to be replaced.

    I suspect this could be fixed by setting the following on the RedirectView object.


    Any thoughts?

    Best regards,


  • #2
    The client is supposed to verify that the state is the same as it sent in the original authorization request. I have my doubts that it can do that if it doesn't store some state itself, and then the usual approach of sending an opaque key, not a JSON object, would work better. So I would question why your client is doing that.

    However, I also don't immediately see why the expand template flag can't be set to false as we don't put any templates in there intentionally in the AuthorizationEndpoint. I'm slightly hesitant as well though because that flag is really useful when you need it and I don't want to close off that option forever. I suppose we could give the state parameter some special treatment, since it is just a pass-through, and that might be preferable (e.g. actually require a template to be used and populate its value with the state supplied by the client). Any offers?
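The two points in this thread, the original post's diagnosis that `{...}` in the redirect URL is being treated as a template placeholder, and reply #2's recommendation to send an opaque key and keep the context client-side, can be shown together in a small Python model. This is an added example, not code from the thread, from ORCID or from Spring Security OAuth: the template expansion below is a constructed stand-in that reproduces the "Model has no value for" failure shape, not RedirectView's implementation, and every URL, client id and scope in it is made up.

```python
"""Added example, not code from the thread or from Spring Security OAuth.
Part 1 is a constructed stand-in for the brace-template expansion the stack
trace attributes to RedirectView. Part 2 is the client pattern reply #2
recommends: context kept in the client's session, only an opaque, single-use
random key sent as `state`. All URLs and client ids are made up."""
import json
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

_PLACEHOLDER = re.compile(r"\{([^{}]*)\}")
# The exact JSON the client in the thread put into `state`.
JSON_STATE = json.dumps({"source": "account", "j_id": "10", "p_id": "85370",
                         "form_type": "get_orcid"}, separators=(",", ":"))


def expand_templates(url: str, model: dict) -> str:
    """Replace every {name} in url with model[name]; fail if name is absent."""
    def replace(match: re.Match) -> str:
        name = match.group(1)
        if name not in model:  # same message shape as the exception above
            raise ValueError(f"Model has no value for '{name}'")
        return str(model[name])
    return _PLACEHOLDER.sub(replace, url)


def build_success_redirect(redirect_uri: str, code: str, state: str,
                           expand: bool) -> str:
    """Server side: splice the raw state into the redirect, then optionally
    run template expansion. A state containing '{' only survives unexpanded."""
    url = f"{redirect_uri}?code={code}&state={state}"
    return expand_templates(url, {}) if expand else url


def build_encoded_redirect(redirect_uri: str, code: str, state: str) -> str:
    """Server side with the query percent-encoded first: '{' becomes %7B, so
    the template pass finds nothing to expand and the state round-trips."""
    url = f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"
    return expand_templates(url, {})


def state_from_url(url: str) -> str:
    """Return the decoded state parameter of a URL, or '' if absent."""
    return parse_qs(urlsplit(url).query).get("state", [""])[0]


class OpaqueStateClient:
    """Client side of the code flow. `_pending` stands in for the user's
    session: each state is random, unguessable and consumed exactly once."""

    def __init__(self, authorize_endpoint: str, client_id: str,
                 redirect_uri: str):
        self.authorize_endpoint = authorize_endpoint
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self._pending: dict[str, dict] = {}

    def start(self, context: dict, scope: str) -> str:
        """Store the context under a fresh state and build the authorize URL."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = context
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": scope,
                  "state": state}
        return f"{self.authorize_endpoint}?{urlencode(params)}"

    def finish(self, callback_url: str) -> tuple[str, dict]:
        """Validate the callback; unknown or reused state is rejected."""
        query = parse_qs(urlsplit(callback_url).query)
        context = self._pending.pop(query.get("state", [""])[0], None)
        if context is None:
            raise ValueError("state missing, unknown or already used")
        return query["code"][0], context


def demo() -> dict:
    """Run each scenario once and return what it yields."""
    cb = "https://client.example/callback"  # constructed
    results = {}
    try:
        build_success_redirect(cb, "c0de", JSON_STATE, expand=True)
        results["json_expanded"] = "ok"
    except ValueError as exc:
        results["json_expanded"] = str(exc)
    results["json_encoded"] = state_from_url(
        build_encoded_redirect(cb, "c0de", JSON_STATE)) == JSON_STATE
    client = OpaqueStateClient("https://as.example/oauth/authorize",
                               "0000-0000-0000-0000", cb)  # constructed
    start_url = client.start({"j_id": "10", "p_id": "85370"}, "read")
    redirect = build_success_redirect(cb, "c0de", state_from_url(start_url),
                                      expand=True)
    results["opaque"] = client.finish(redirect)
    try:
        client.finish(redirect)
        results["replay"] = "accepted"
    except ValueError:
        results["replay"] = "rejected"
    return results
```

Running `demo()` shows the three outcomes side by side: the JSON state fails the expanding path with the same "Model has no value for '"source":"account",…'" message the stack trace reports, percent-encoding the query before any template pass lets even a brace-bearing state round-trip, and the opaque key survives the expanding path unchanged while also giving the client a single-use value it can check on the callback.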